Credential Phishing Targeting Government Evolves | Cofense

Keypoints

• The phishing campaigns spoof U.S. government departments (Department of Labor, Department of Commerce, Department of Transportation) to target energy and professional services sectors.
• Sender addresses shifted from dol-gov.us to dot.gov appearances, and sending IPs were associated with Hivelocity Inc ASN; some servers identified themselves as Microsoft IIS.
• PDFs attached to emails have evolved from simple documents to customized, department-mapped files with authentic-looking metadata (e.g., WisDOT) and watermarks.
• The credential phishing page begins as a DoL/DoC/DoT-like homepage with an extra “bid” button, then redirects to a multi-page flow that collects credentials.
• The flow uses HTTPS, long subdomains with .gov cues, and link routes like /bidwindow.htm → /openbid.php → /completegen.html, culminating in a /bidwindowverify.htm captcha step.
• Victims are redirected back to the legitimate department site after credential submission, making detection harder; phishing training is emphasized as a defense.
• Cofense Intelligence will continue tracking campaigns and sharing IOCs and rules to help customers predict and block similar attacks.